If LinkedIn Hasn’t Fixed Its Massive Security Breach, A New Password May Not Be Enough

For a Web firm like LinkedIn, there’s a fate worse than confessing to a massive security breach: Failing to detect an ongoing one.

Hours after reports surfaced Wednesday that LinkedIn had suffered an intrusion by Russian hackers who leaked 6.5 million of the site’s passwords, LinkedIn has yet to confirm that it has either found or remediated the problem. “Our team is currently looking into reports of stolen passwords. Stay tuned for more,” the company wrote in its Twitter feed around 6am Pacific time Wednesday. Around 9am, it still hadn’t confirmed the leak: “Our team continues to investigate, but at this time, we’re still unable to confirm that any security breach has occurred. Stay tuned here.”

The file posted online by hackers contained 6.46 million LinkedIn passwords stored in a “hashed” form designed to be indecipherable if breached. But the company failed to “salt” its hashes, a process that mixes a random, per-user value into each password before hashing. Without a salt, every user with the same password gets the same hash, and an attacker can hash a wordlist once and look up every stolen hash against it; with per-user salts, that work has to be repeated for each account. It may be only a matter of time until users’ passwords are successfully unscrambled; posts to some password cracking forums indicated that as many as 300,000 of the passwords may have already been deciphered.
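The following is an added example, not code from the article or from LinkedIn, illustrating why unsalted hashes crack so cheaply. The article says only that the hashes were unsalted; the choice of SHA-1 as the hash function, the account names, their passwords and the attacker wordlist are all constructed for the example. It also shows the point made further down about long passphrases: an account whose password is not in the wordlist survives the lookup even without a salt.

```python
import hashlib
import secrets

# Constructed sample accounts (not from the leaked file). Two share a weak
# password; the third uses a long passphrase that no short wordlist contains.
SAMPLE_PASSWORDS = {
    "alice": "linkedin",
    "bob": "linkedin",
    "carol": "correct horse battery staple 2012",
}

# Constructed attacker wordlist; a real one has millions of entries.
WORDLIST = ["password", "123456", "linkedin", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    # SHA-1 is an assumption for this example; the article does not name the hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    # Same hash function, but a per-user random salt is prepended to the password.
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def store_unsalted(users: dict) -> dict:
    """What an unsalted password table looks like: user -> hash."""
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def store_salted(users: dict, salt_fn=lambda: secrets.token_bytes(16)) -> dict:
    """Salted table: user -> (salt_hex, hash). salt_fn is injectable for tests."""
    stored = {}
    for user, pw in users.items():
        salt = salt_fn()
        stored[user] = (salt.hex(), salted_hash(pw, salt))
    return stored


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Hash the wordlist once, then every stolen hash is a dictionary lookup.

    Returns (cracked accounts, number of hash computations performed).
    """
    table = {unsalted_hash(word): word for word in wordlist}  # len(wordlist) hashes
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """With per-user salts no precomputed table is shared between accounts.

    Each account costs a fresh pass over the wordlist (stopping at a hit).
    Returns (cracked accounts, number of hash computations performed).
    """
    cracked = {}
    work = 0
    for user, (salt_hex, h) in stored.items():
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            work += 1
            if salted_hash(word, salt) == h:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = store_unsalted(SAMPLE_PASSWORDS)
    print("alice and bob share a hash:", unsalted["alice"] == unsalted["bob"])
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    salted = store_salted(SAMPLE_PASSWORDS)
    print("alice and bob share a hash:", salted["alice"][1] == salted["bob"][1])
    print("salted:  ", crack_salted(salted, WORDLIST))
```

The work counts are the point: against the unsalted table the attacker spends one wordlist's worth of hashing no matter how many millions of accounts were leaked, while salting multiplies that cost by the number of accounts. Salting alone does not make a fast hash slow, though; a current design would also use a deliberately expensive password hash such as bcrypt, scrypt or Argon2 so that each guess costs far more than a single SHA-1.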

Many security experts have recommended that users change their passwords. But if LinkedIn’s hackers still have hidden access to the company’s servers, that may not be enough. “If LinkedIn hasn’t been able to confirm the breach, they haven’t fixed it either,” wrote Twitter’s security and cryptography guru Moxie Marlinspike in his Twitter feed. “You can change your PW, but attackers can just get it again.”

One measure users can take to protect themselves: Change their password to a stronger one that will be harder to recover from its hashed form even if hackers do have ongoing access to LinkedIn’s systems. That means choosing a password that’s long, incorporates punctuation and symbols, or includes an entire phrase rather than a single word. Google offers some more tips for strong passwords here. Users should also change their password on any other site where they reused the password that may have been breached on LinkedIn.

Rapid7, one of the two firms that confirmed the breach, has suggested in a statement to press that users should indeed change their passwords, but that a single switch may not keep them safe. “By all indications it doesn’t appear that LinkedIn has contained the compromise yet, so everyone should be aware that they may have to change their passwords multiple times,” writes Marcus Carey, a researcher at the security firm. “You should still go ahead and change it straight away, but you may have to change it for a second time if it turns out the attackers are still entrenched in LinkedIn’s systems.”

Update: LinkedIn now confirms that some of its passwords were included in the hackers’ leak, though it hasn’t specified how many. The company says it’s now salting hashed passwords to further protect any changed and unaffected passwords. It hasn’t yet commented on whether its breach has been identified or remediated.